What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-02-17 13:00:00 | Briller une lumière sur la solarcité: exploitation pratique du dispositif X2E IoT (deuxième partie) Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two) (lien direct) |
Dans cet article, nous continuons notre analyse du Solarcity ConnectPort X2E Appareil ZigBee (appelé tous les appareils X2E).Dans partie un , nous avons discuté du x2e à un niveau élevé, effectué des attaques initiales basées sur le réseau, puis a discuté des techniques matérielles utilisées pour obtenir un shell distant sur le périphérique X2E en tant qu'utilisateur système non priviaire.Dans ce segment, nous couvrons comment nous avons obtenu une coquille privilégiée sur l'appareil localement en utilisant des attaques de glitch, et explorer CVE-2020-12878 , une vulnérabilité que nous avons découverte qui a permis une escalade de privilège à distance à l'utilisateur root .Combiné avec cve-2020-9306
In this post, we continue our analysis of the SolarCity ConnectPort X2e Zigbee device (referred to throughout as X2e device). In Part One, we discussed the X2e at a high level, performed initial network-based attacks, then discussed the hardware techniques used to gain a remote shell on the X2e device as a non-privileged system user. In this segment, we\'ll cover how we obtained a privileged shell on the device locally using power glitching attacks, and explore CVE-2020-12878, a vulnerability we discovered that permitted remote privilege escalation to the root user. Combined with CVE-2020-9306 |
Vulnerability Industrial | ★★★★ | |
 |
2020-10-07 18:31:39 | Amazon Wants to \'Win at Games.\' So Why Hasn\'t It? (lien direct) | After brute-forcing its way to dominance in so many industries, the tech leviathan may finally have met its match. | Industrial | APT 40 | |
 |
2020-10-04 09:35:41 | Security Affairs newsletter Round 284 (lien direct) | A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. Apple addresses four vulnerabilities in macOS Google removes 17 Joker -infected apps from the Play Store Microsoft took down 18 Azure AD apps used by Chinese Gadolinium APT Mount Locker […] | Industrial | APT 40 | |
|
2020-09-29 08:01:01 | Dans la poursuite d'une visualisation Gestalt: fusion de l'agent à mitre ATT & CK & Reg;Pour l'entreprise et les CI, communiquer les comportements adversaires In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors (lien direct) |
mise à jour (10 décembre): Ce message a été mis à jour pour refléter les modifications de la matrice de mitre ATT & amp; CK pour l'entreprise, qui comprend désormais des tactiques supplémentaires.
Comprendre les menaces de plus en plus complexes auxquelles sont confrontés les organisations d'infrastructures industrielles et critiques n'est pas une tâche simple.Alors que les acteurs de menaces très qualifiés continuent de se renseigner sur les nuances uniques de la technologie opérationnelle (OT) et les systèmes de contrôle industriel (CI), nous observons de plus en plus les attaquants explorant une diversité de méthodes pour atteindre leurs objectifs.Les défenseurs sont confrontés au défi de l'analyse systématique des informations de ces incidents
Update (Dec. 10): This post has been updated to reflect changes in MITRE ATT&CK Matrix for Enterprise, which now includes additional tactics. Understanding the increasingly complex threats faced by industrial and critical infrastructure organizations is not a simple task. As high-skilled threat actors continue to learn about the unique nuances of operational technology (OT) and industrial control systems (ICS), we increasingly observe attackers exploring a diversity of methods to reach their goals. Defenders face the challenge of systematically analyzing information from these incidents |
Threat Industrial | ★★★ | |
|
2020-09-27 09:28:15 | Microsoft took down 18 Azure AD apps used by Chinese Gadolinium APT (lien direct) | Microsoft removed 18 Azure Active Directory applications from its Azure portal that were created by a Chinese-linked APT group Gadolinium. Microsoft announced this week to have removed 18 Azure Active Directory applications from its Azure portal that were created by a China-linked cyber espionage group tracked as APT group Gadolinium (aka APT40, or Leviathan). The 18 […] | Industrial | APT 40 | |
 |
2020-09-24 21:09:50 | Microsoft removed 18 Azure AD apps used by Chinese state-sponsored hacker group (lien direct) | Azure AD apps were abused by the Gadolinium (APT40) group to attack Microsoft Azure customers. | Industrial | APT 40 | |
|
2020-08-25 04:00:00 | Une introduction pratique à l'approche de Mandiant \\ S à l'équipe d'OT Red A Hands-On Introduction to Mandiant\\'s Approach to OT Red Teaming (lien direct) |
Les propriétaires d'actifs de technologie opérationnelle (OT) ont historiquement considéré que les réseaux rouges de l'OT et du système de contrôle industriel (ICS) sont trop risqués en raison du potentiel de perturbations ou d'impact négatif sur les systèmes de production.Bien que cet état d'esprit soit resté largement inchangé depuis des années, l'expérience de Mandiant dans le domaine suggère que ces perspectives changent;Nous fournissons de plus en plus de valeur aux clients en faisant équipe en toute sécurité en associant leurs réseaux de production OT.
Cette volonté croissante de l'équipe rouge de l'OT est probablement motivée par quelques facteurs, notamment le nombre croissant et
Operational technology (OT) asset owners have historically considered red teaming of OT and industrial control system (ICS) networks to be too risky due to the potential for disruptions or adverse impact to production systems. While this mindset has remained largely unchanged for years, Mandiant\'s experience in the field suggests that these perspectives are changing; we are increasingly delivering value to customers by safely red teaming their OT production networks. This increasing willingness to red team OT is likely driven by a couple of factors, including the growing number and |
Industrial | ★★★★ | |
|
2020-07-15 10:00:00 | Les acteurs à motivation financière étendent l'accès à l'OT: analyse des listes de mise à mort qui incluent des processus OT utilisés avec sept familles de logiciels malveillants Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families (lien direct) |
Mandiant Threat Intelligence a recherché et rédigé de nombreuses recherches sur l'activité de menace financière croissante impactant directement les réseaux de technologie opérationnelle (OT).Certaines de ces recherches sont disponibles dans nos précédents articles de blog sur post-compromise industrielleRansomware Et approche de Fireeye \\ pour la sécurité OT .Bien que la plupart des acteurs derrière cette activité ne se différencient probablement pas entre celui-ci et l'OT ou ont un intérêt particulier pour les actifs OT, ils sont motivés par le but de gagner de l'argent et ont démontré les compétences nécessaires pour fonctionner dans ces réseaux.Par exemple, le changement vers
Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology (OT) networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye\'s approach to OT security. While most of the actors behind this activity likely do not differentiate between IT and OT or have a particular interest in OT assets, they are driven by the goal of making money and have demonstrated the skills needed to operate in these networks. For example, the shift to |
Malware Threat Industrial | ★★★★ | |
|
2020-03-23 07:00:00 | Surveillance des outils de cyber-opération ICS et des modules d'exploitation de logiciels pour anticiper les menaces futures Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats (lien direct) |
Il n'y a eu qu'un petit nombre de cyberattaques largement documentées ciblant les technologies opérationnelles (OT) / systèmes de contrôle industriel (ICS) au cours de la dernière décennie.Bien que moins d'attaques soit clairement une bonne chose, l'absence d'une taille d'échantillon adéquate pour déterminer les seuils de risque peut rendre difficile pour les défenseurs de comprendre l'environnement de menace, de hiérarchiser les efforts de sécurité et de justifier l'allocation des ressources.
Pour résoudre ce problème, Fireeye Mandiant Threat Intelligence produit une gamme de rapports pour abonnement Les clients qui se concentrent sur différents indicateurs pour prédire les menaces futures
There has only been a small number of broadly documented cyber attacks targeting operational technologies (OT) / industrial control systems (ICS) over the last decade. While fewer attacks is clearly a good thing, the lack of an adequate sample size to determine risk thresholds can make it difficult for defenders to understand the threat environment, prioritize security efforts, and justify resource allocation. To address this problem, FireEye Mandiant Threat Intelligence produces a range of reports for subscription customers that focus on different indicators to predict future threats |
Tool Threat Industrial Prediction | ★★★★ | |
 |
2020-03-22 00:00:00 | Comment l'IoT industriel pourrait déclencher le prochain cyber-catastrophieffect d'urgence / 11 sur l'industrie manufacturière américaine révèle 7 milliards de dollars pour les eaux autres How Industrial IoT could Trigger the Next Cyber CatastropheEffect of URGENT/11 on the US Manufacturing Industry Reveals $7 Billion ExposureRead More (lien direct) |
IntroductionOn 29th July 2019, the cyber security firm Armis announced that it had found eleven different vulnerabilities in the operating system âVXworksâ which they believe exposed around 200 million critical devices. The team at Armis dubbed this group of vulnerabilities: URGENT/11. This report explores how the discovery of URGENT/11 demonstrates the susceptibility of global manufacturing businesses to large losses from a cyber-attack event and the potential impact on commercial P&C (re)insurers.âThe Operating System at the Heart of the IssueVxWorks is a widely used, but lesser known, lightweight IoT real-time operating system (RTOS). This operating system is embedded in over 2 billion devices in the US and worldwide. These range from large-scale industrial machinery controlling installations such as nuclear power stations and oil production platforms, to smaller systems throughout the worldâs automotive, aviation, agri-business, textile, logistics and pharmaceutical facilities. A malicious attack could affect what is known as the SupervisoryControl and Data Acquisition (SCADA), the system that allows industrial organizations to gather and monitor real-time data in their manufacturing and distribution systems. Critically, VxWorks is also part of what are known as Industrial Control Systems (ICS) â software that manages the industrial processes themselves.âNot a Quick FixAs with any type of software vulnerability, affected organizations need to patch vulnerabilities quickly. However, in the case of URGENT/11, the necessary patches can be very expensive to apply immediately, because the affected devices are critical to day-to-day operations. Patching a vulnerability requires stopping or interrupting the device, which could lead to significant business disruption. Furthermore, while very large organizations have the financial and technical resources to implement system patches quickly, smaller manufacturers â who may nevertheless be critical to the supply chain â often do not. They may buy equipment that happens to contain VxWorks, but do not expect to have to maintain the software or even be aware of its existence.âQuantifying URGENT/11âs Potential Loss Scenarios for the US Manufacturing IndustryTo understand the extent of companies that were vulnerable to URGENT/11, their susceptibility to being attacked, and the effect an attack might have industry wide, Kovrr deployed its proprietary technologies. The first step was to gather real-time information about the distribution of VxWorks in the US manufacturing sector. To achieve this, Kovrr leveraged its ability to continuously collect relevant business intelligence, cyber threat intelligence, external and internal security data. As a result, we were able to identify companies with devices that were utilizing the VxWorks operating system. For internal mapping, access to multiple security vendors\' data is essential because each vendor has its own expertise and distribution, in terms of geolocation, served industries, defense level focus, mapped devices, etc. In the case below involving an industrial sector, unique data focused on IoT devices is needed. Kovrr partners with a diverse range of data providers to detect and map beyond the firewall devices and security control mechanisms. By having access to Armis\' proprietary IoT fingerprinting technology, we were able to produce a highly granular map of any IoT device being used by one organization.We can then accurately assess any IoT related emerging vulnerability on clients\' portfolios. In order to understand the nature of these businesses, including their sector, size and place in the supply chain; we use publicly available information linked to a variety of proprietary data-sources including our own. This technique is similar in principle to the exposure-data cleansing and augmentation used by catastrophe modelers. Having developed a sophisticated view of the affected businesses, we have selected a series of events fro | Ransomware Vulnerability Threat Industrial Prediction | ★★★★ | |
|
2020-03-16 10:30:00 | Ils viennent dans la nuit: tendances de déploiement des ransomwares They Come in the Night: Ransomware Deployment Trends (lien direct) |
Ransomware est un shakedown numérique éloigné.Il est perturbateur et coûteux, et il affecte toutes sortes d'organisations, à partir de Cutting Edge Technologie spatiale Firms, aux Woolindustrie , à | Ransomware Threat Industrial | ★★★ | |
|
2020-02-24 23:30:00 | Ransomware contre la machine: comment les adversaires apprennent à perturber la production industrielle en le ciblant et en OT Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT (lien direct) |
Depuis au moins 2017, il y a eu une augmentation significative des divulgations publiques des incidents de ransomwares ayant un impact sur la production industrielle et les organisations d'infrastructures critiques.Des familles de ransomwares bien connues comme Wannacry,Lockergoga, Megacortex, Ryuk, Maze, et maintenant Snakehose (alias Snake / Ekans), ont des victimes de coûts dans une variété de verticales de l'industrie plusieurs millions de dollarsen rançon et en coûts de garantie.Ces incidents ont également entraîné des perturbations et des retards importants sur les processus physiques qui permettent aux organisations de produire et de fournir des biens et services.
tandis que beaucoup
Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services. While lots |
Ransomware Industrial | Wannacry | ★★★ |
|
2020-02-10 08:28:13 | Malaysia\'s MyCERT warns cyber espionage campaign carried out by APT40 (lien direct) | Malaysia’s MyCERT issued a security alert to warn of a hacking campaign targeting government officials that was carried out by the China-linked APT40 group. Malaysia’s Computer Emergency Response Team (MyCERT) warns of a cyber espionage campaign carried out by the China-linked APT40 group aimed at Malaysian government officials. The attackers aimed at stealing confidential documents […] | Industrial | APT 40 | |
|
2020-02-07 01:25:41 | Malaysia warns of Chinese hacking campaign targeting government projects (lien direct) | MyCERT security alert points the finger at APT40, a Chinese state-sponsored hacking crew. | Industrial | APT 40 | |
 |
2020-01-20 16:32:45 | A week in security (January 13 – 19) (lien direct) |
Our weekly security roundup for January 13-19, with a look at elastic servers, data enrichment, rootkits, regulation for deepfakes, and more.
Categories:
A week in security
Tags: apt40Ciscocitrixdata enrichmentdeepfakeselastic serversemotetrootkittravelexweleakinfo
(Read more...)
|
Industrial | APT 40 | |
|
2019-12-11 13:00:00 | L'approche mandiante de la sécurité des technologies opérationnelles (OT) The Mandiant Approach to Operational Technology (OT) Security (lien direct) |
Ce post explique la philosophie mandiante et l'approche plus large de la sécurité des technologies opérationnelles (OT).En résumé, nous constatons que la visibilité combinée dans les environnements IT et OT est essentielle pour détecter l'activité malveillante à tout stade d'une intrusion OT.L'approche mandiante de la sécurité OT est de:
détecter les menaces tôt en utilisant la conscience de la situation complète de It et OT Networks.
La surface de la plupart des intrusions transcende les couches architecturales car à presque tous les niveaux en cours de route, il y a des ordinateurs (serveurs et postes de travail) et des réseaux utilisant le même ou similaire
This post explains the Mandiant philosophy and broader approach to operational technology (OT) security. In summary, we find that combined visibility into both the IT and OT environments is critical for detecting malicious activity at any stage of an OT intrusion. The Mandiant approach to OT security is to: Detect threats early using full situational awareness of IT and OT networks. The surface area for most intrusions transcends architectural layers because at almost every level along the way, there are computers (servers and workstations) and networks using the same or similar |
Industrial | ★★★ | |
|
2019-09-30 12:00:00 | Le Fireeye OT-CSIO: une ontologie pour comprendre, ré-comparer et évaluer les incidents de cybersécurité en technologie opérationnelle The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents (lien direct) |
The FireEye Technology Technology Cyber Security Incident Ontology (OT-CSIO)
Alors que le nombre de Menaces to Operational Technology (OT) ont considérablement augmenté depuis la découverte de Stuxnet & # 8211;Poussé par des facteurs tels que la convergence croissante avec les réseaux de technologies de l'information (TI) et la disponibilité croissante des informations sur les informations, la technologie, les logiciels et les documents de référence & # 8211;Nous n'avons observé qu'un petit nombre d'attaques axées sur le monde réel.La taille limitée de l'échantillon des attaques OT bien documentées et le manque d'analyse du point de vue du niveau macro représente un défi pour
The FireEye Operational Technology Cyber Security Incident Ontology (OT-CSIO) While the number of threats to operational technology (OT) have significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology (IT) networks and the increasing availability of OT information, technology, software, and reference materials – we have observed only a small number of real-world OT-focused attacks. The limited sample size of well-documented OT attacks and lack of analysis from a macro level perspective represents a challenge for |
Industrial | ★★★★ | |
|
2019-04-09 23:00:00 | Profil TTP de l'acteur de Triton, outils d'attaque personnalisés, détections et mappage ATT & CK TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping (lien direct) |
Présentation
Fireeye peut désormais confirmer que nous avons découvert et répond à une intrusion supplémentaire par l'attaquant derrière Triton dans une installation d'infrastructure critique différente .
En décembre 2017, Fireeye a publié publiquement notre première analyse sur l'attaque de Triton où les acteurs malveillants ont utilisé le cadre d'attaque personnalisé de Triton pour manipuler les systèmes de sécurité industrielle dans une installation d'infrastructure critique et ont provoqué par inadvertance un arrêt de processus.Dans la suivante recherche Nous avons examiné comment les attaquants peuvent avoir eu accès à des composants critiques nécessairesPour construire le cadre d'attaque de Triton
Overview FireEye can now confirm that we have uncovered and are responding to an additional intrusion by the attacker behind TRITON at a different critical infrastructure facility. In December 2017, FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown. In subsequent research we examined how the attackers may have gained access to critical components needed to build the TRITON attack framework |
Industrial | ★★★ | |
|
2019-03-06 07:59:00 | APT40 cyberespionage group supporting growth of China\'s naval sector (lien direct) | A cyber-espionage group, tracked as APT40, apparently linked to the Chinese government is focused on targeting countries important to the country's Belt and Road Initiative. The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country's Belt and Road Initiative […] | Industrial | APT 40 | |
 |
2019-03-05 13:19:03 | State-Sponsored Hackers Supporting China\'s Naval Modernization Efforts: Report (lien direct) | APT40 Hackers Appear to be Supporting China's Belt and Road Initiative | Industrial | APT 40 | |
|
2018-11-15 11:04:02 | Chinese TEMP.Periscope cyberespionage group was using TTPs associated with Russian APTs (lien direct) | Chinese TEMP.Periscope cyberespionage group targeted a UK-based engineering company using TTPs associated with Russia-linked APT groups. Attribution of cyber attacks is always a hard task, in many cases attackers use false flags to masquerade their identities. Chinese hackers have targeted a UK-based engineering company using techniques and artifacts attributed to the Russia-linked APT groups Dragonfly and […] | Industrial | APT 40 | |
|
2018-10-23 10:00:00 | Attribution de Triton: le laboratoire appartenant à un gouvernement russe a probablement construit des outils d'intrusion personnalisés pour les attaquants de Triton TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers (lien direct) |
Présentation
Dans un article de blog précédent, nous avons détaillé l'intrusion de Triton qui a eu un impact sur les systèmes de contrôle industriel (ICS) dans une installation d'infrastructure critique.Nous suivons maintenant cet ensemble d'activités comme Temp.veles.Dans ce billet de blog, nous fournissons des informations supplémentaires reliant Temp.veles et leur activité entourant l'intrusion de Triton à un institut de recherche appartenant au gouvernement russe.
Triton Intrusion démontre des liens russes;Probablement soutenu par l'Institut de recherche russe
Le renseignement Fireeye évalue avec une grande confiance que l'activité d'intrusion qui a conduit au déploiement de Triton a été soutenue par le
Overview In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems (ICS) at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute. TRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the |
Tool Industrial | ★★★★ | |
|
2018-10-11 09:30:00 | Tendances de sécurité tactique ICS: analyse des risques de sécurité les plus fréquents observés sur le terrain ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field (lien direct) |
Introduction
Fireeye Isight Intelligence a compilé des données approfondies à partir de dizaines d'Iscolys Assessment Engagements (ICS HealthCheck) effectué par l'équipe de conseil Mandiant, Fireeye \\, pour identifier les risques de sécurité prioritaires les plus omniprésents et les plus élevés dans les installations industrielles.Les informations ont été acquises à partir d'évaluations pratiques réalisées au cours des dernières années dans un large éventail d'industries, notamment la fabrication, l'exploitation minière, l'automobile, l'énergie, le produit chimique, le gaz naturel et les services publics.Dans cet article, nous fournissons des détails sur ces risques et indiquons les meilleures pratiques et
Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye\'s consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information was acquired from hands-on assessments carried out over the last few years across a broad range of industries, including manufacturing, mining, automotive, energy, chemical, natural gas, and utilities. In this post, we provide details of these risks, and indicate best practices and |
Industrial | ★★★★ | |
 |
2018-07-20 09:33:00 | TEMP.Periscope : Des pirates Chinois, amateurs d\'éléctions présidentielles ? (lien direct) | Il n’y aurait pas que les pirates Russes amateurs d’éléctions ? Le groupe d'espionnage chinois TEMP.Periscope cible... L'article TEMP.Periscope : Des pirates Chinois, amateurs d’éléctions présidentielles ? est apparu en premier sur Data Security Breach. | Industrial | APT 40 | |
|
2018-07-12 08:22:03 | China-based TEMP.Periscope APT targets Cambodia\'s elections (lien direct) | FireEye uncovered a large-scale Chinese phishing and hacking campaign powered by Temp.periscope APT aimed at Cambodia’s elections. Security researchers at FireEye have uncovered a large-scale Chinese phishing and hacking campaign aimed at Cambodia’s elections. The hackers distributed a remote access trojan (RAT) and data exfiltration operation targeting the poll. The experts from FireEye attributed the attacks to an APT group tracked […] | Industrial | APT 40 | |
|
2018-07-10 07:00:00 | Le groupe d'espionnage chinois Temp.Periscope cible le Cambodge avant les élections de juillet 2018 et révèle de larges opérations à l'échelle mondiale Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally (lien direct) |
Introduction
Fireeye a examiné une gamme d'activités de périccope révélant un intérêt étendu pour la politique du Cambodge \\, avec des compromis actifs de plusieurs entités cambodgiennes liées au système électoral du pays.Cela comprend les compromis des entités gouvernementales cambodgienes chargées de superviser les élections, ainsi que le ciblage des chiffres de l'opposition.Cette campagne se déroule dans la mise en ligne vers les élections générales du 29 juillet 2018 du pays.Temp.Periscope a utilisé la même infrastructure pour une gamme d'activités contre d'autres cibles plus traditionnelles, y compris la base industrielle de la défense
Introduction FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia\'s politics, with active compromises of multiple Cambodian entities related to the country\'s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country\'s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base |
Industrial | APT 40 | ★★★★ |
 |
2018-07-05 17:10:01 | Threat Model Thursdays: Crispin Cowan (lien direct) | Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame. What are we working on? One of the places where Crispin goes deeper is definitional. He’s very precise about … Continue reading "Threat Model Thursdays: Crispin Cowan" | Threat Industrial | APT 40 | |
|
2018-06-07 09:00:00 | Un traité totalement tubulaire sur Triton et Tristation A Totally Tubular Treatise on TRITON and TriStation (lien direct) |
Introduction
En décembre 2017, Fireeye \'s mandiant a discuté d'une réponse incidente impliquant le framework .L'attaque de Triton et bon nombre des intrusions de CI sur les ICS impliquaient des techniques de routine où les acteurs de la menace n'utilisaient que ce qui est nécessaire pour réussir dans leur mission.Pour Industryer et Triton, les attaquants sont passés du réseau informatique vers le réseau OT (technologie opérationnelle) à travers des systèmes accessibles aux deux environnements.Bargades de logiciels malveillants traditionnels, distillats Mimikatz, sessions de bureau à distance et autres attaques bien documentées et facilement détectées
Introduction In December 2017, FireEye\'s Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For both INDUSTROYER and TRITON, the attackers moved from the IT network to the OT (operational technology) network through systems that were accessible to both environments. Traditional malware backdoors, Mimikatz distillates, remote desktop sessions, and other well-documented, easily-detected attack |
Malware Threat Industrial | ★★★★ | |
 |
2018-03-20 09:52:03 | Un groupe de cyber-espionnage chinois s\'attaque à des entreprises américaines (lien direct) |  Un groupe de cyber-espionnage chinois (TEMP.Periscope) s'attaque à des entreprises américaines dans les secteurs de l'ingénierie et du maritime. |
Industrial | APT 40 | |
|
2018-03-17 16:49:02 | Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries (lien direct) | The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months. Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States. The group has also targeted professional/consulting services, high-tech industry, […] | Industrial | APT 40 | |
|
2018-03-16 20:36:03 | (Déjà vu) China-linked Hackers Target Engineering and Maritime Industries (lien direct) | A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports. Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States. “The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says. | Industrial | APT 40 | |
|
2017-12-14 15:00:00 | Les attaquants déploient un nouveau cadre d'attaque ICS «Triton» et provoquent une perturbation opérationnelle des infrastructures critiques Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure (lien direct) |
Introduction
mandiant a récemment répondu à un incident dans une organisation d'infrastructure critique où un attaquant a déployé des logiciels malveillants conçus pour manipuler les systèmes de sécurité industrielle.Les systèmes ciblés ont fourni une capacité d'arrêt d'urgence pour les processus industriels.Nous évaluons avec une confiance modérée que l'attaquant développait la capacité de causer des dommages physiques et des opérations d'arrêt par inadvertance.Ce logiciel malveillant, que nous appelons Triton, est un cadre d'attaque conçu pour interagir avec les contrôleurs de système instrumentés de sécurité Triconex (SIS).Nous n'avons pas attribué l'incident à un
Introduction Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a |
Malware Industrial Technical | ★★★★ | |
 |
2017-10-19 09:50:25 | Group launches Cyber Attacks against Maritime and Defense sectors (lien direct) | >Leviathan, an espionage group active since 2014, is launching cyber attacks against the maritime and defense sectors- focusing specifically on contractors and associated University Research institutions. View Full Story ORIGINAL SOURCE: ZDNet | Industrial | APT 40 | |
|
2016-06-02 09:00:00 | Irongate ics malware: rien à voir ici ... masquer l'activité malveillante sur les systèmes SCADA IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems (lien direct) |
Dans la seconde moitié de 2015, l'équipe Flare a identifié plusieurs versions d'un logiciel malveillant axé sur les CI ICS fabriqué pour manipuler un processus industriel spécifique exécutant dans un environnement de système de contrôle Siemens simulé.Nous avons nommé cette famille de logiciels malveillants irongate.
Flare a trouvé les échantillons sur Virustotal lors de la recherche de gouttes compilés avec Pyinstaller - une approche utilisée par de nombreux acteurs malveillants.Les échantillons irongés se sont démarqués en fonction de leurs références à SCADA et aux fonctionnalités associées.Deux échantillons de la charge utile de logiciels malveillants ont été téléchargés par différentes sources en 2014, mais aucun des antivirus
In the latter half of 2015, the FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE. FLARE found the samples on VirusTotal while researching droppers compiled with PyInstaller - an approach used by numerous malicious actors. The IRONGATE samples stood out based on their references to SCADA and associated functionality. Two samples of the malware payload were uploaded by different sources in 2014, but none of the antivirus |
Malware Industrial | ★★★★ |
To see everything:
Our RSS (filtrered)
